Also, once an access group is configured on an interface, all traffic not specifically permitted by an ACL is dropped by the implicit deny all the system supplies at the end of the last configured access group

It is however possible to cheat

Page 682

ACLs support TCP flags. If multiple flags are set (+flag) in a single rule, only packets with the all the same flags asserted are matched (logical AND). Likewise, if multiple flags are cleared (–flag) in a single rule, only packets with the same flags cleared are matched. The established keyword matches TCP packets with either the RST or ACK bits set (logical OR)

The above method however "trusts" the network, and is therefore NOT secure, as packets that would normally be dropped can be created that would go through the ACL.

In comparison, a Cisco ASA has a session state table, which you can see with the command "show conn". Having a session state table means that the ASA does not need to "trust" the network